This tutorial in the category WordPress hacking shows you how to
scan WordPress for possible vulnerabilities and enumerate WordPress
users. We will conclude this tutorial with a demonstration on how to
brute force root passwords using WPScan in Kali Linux. WPScan is a black
box WordPress vulnerability scanner and a must have tool for any
WordPress web developer to scan for vulnerabilities and solve issues
before they get exploited. Together with Nikto, a great webserver assessment tool, this tool should be part of any penetration test targeting a WordPress Website.
WPScan comes pre-installed on the following Linux distributions:
The latest version is WPScan 2.8 and the database currently contains:
Total vulnerable versions: 98
Total vulnerable plugins: 1.076
Total vulnerable themes: 361
Total version vulnerabilities: 1.104
Total plugin vulnerabilities: 1.763
Total theme vulnerabilities: 443
Windows is not supported by WPScan. The latest version is available for download at the following website (Linux & Mac): http://wpscan.org/
WPScan update
Start with the following command to update the vulnerabilities database: wpscan --update
Scanning WordPress vulnerabilities
Then use the following command to scan a website for possible vulnerabilities: wpscan --url [wordpress url]
How to enumerate WordPress users
Use the following command to enumerate the WordPress users:
wpscan --url [wordpress url] --enumerate u
How to brute force the root password
Use the following command to brute force the password for user root: wpscan --url [wordpress url] --wordlist [path to wordlist] --username [username to brute force] --threads [number of threads to use]
How to avoid WordPress User Enumeration
If you want to avoid WordPress user enumeration, you should avoid
using the username as nickname and display name, which are shown publicly.
The best option is to choose an administrator username that consists of
random characters and use a different nickname. WPScan looks for usernames
in the URLs, so if the username is not used there it cannot be found by
WPScan.
How to avoid WordPress password brute forcing
The best way to keep attackers using brute force methods out is to
limit the login attempts per IP address. There are several plug-ins
available for WordPress to limit login attempts. The latest WordPress
versions have this option by default. Make sure you limit attempts to a
maximum of 3 and increase the lockout time a lot after 2 lockouts (which
is 6 password attempts).
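As an added illustration (not part of the original tutorial), the lockout policy just described implemented in Python: three failed logins lock an IP address out, and the lockout grows sharply once that address has already been locked out twice. The 15 minute and 24 hour lockout lengths, the IP addresses and the simulated attempt timings are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_ATTEMPTS = 3          # failed logins an IP gets before it is locked out
ESCALATE_AFTER = 2        # lockouts after which the lockout time grows "a lot"
BASE_LOCKOUT = 15 * 60    # assumed: first lockouts last 15 minutes
LONG_LOCKOUT = 24 * 3600  # assumed: later lockouts last 24 hours


@dataclass
class IpState:
    failures: int = 0       # consecutive failures since the last lockout/success
    lockouts: int = 0       # lockouts issued so far for this IP
    locked_until: float = 0.0


class LoginLimiter:
    """Per-IP failed-login limiter with escalating lockouts."""

    def __init__(self):
        self.state = defaultdict(IpState)

    def is_locked(self, ip, now):
        return now < self.state[ip].locked_until

    def record_failure(self, ip, now):
        """Count a failed login; return the lockout length it triggered (0 if none)."""
        s = self.state[ip]
        s.failures += 1
        if s.failures < MAX_ATTEMPTS:
            return 0
        s.failures = 0
        s.lockouts += 1
        length = LONG_LOCKOUT if s.lockouts > ESCALATE_AFTER else BASE_LOCKOUT
        s.locked_until = now + length
        return length

    def record_success(self, ip):
        self.state[ip].failures = 0


def simulate_wordlist_run(n_attempts, interval=1.0, ip="203.0.113.5"):
    """Replay n_attempts wrong passwords from one (constructed) IP, one every
    `interval` seconds. Returns (checked, rejected): guesses that reached
    password verification vs. guesses refused because the IP was locked out."""
    limiter, checked, rejected = LoginLimiter(), 0, 0
    for i in range(n_attempts):
        now = i * interval
        if limiter.is_locked(ip, now):
            rejected += 1                   # refused before any password check
            continue
        checked += 1
        limiter.record_failure(ip, now)     # every guess in this run is wrong
    return checked, rejected
```

With the limiter in place a 20-word run at one guess per second gets only 3 passwords checked; the other 17 are refused without touching the password store.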